{"id":51832,"date":"2023-05-09T15:12:54","date_gmt":"2023-05-09T15:12:54","guid":{"rendered":"https:\/\/packetstormsecurity.com\/news\/view\/34594\/Royal-Ransomware-Gang-Quickly-Expands-Reign.html"},"modified":"2023-05-09T15:12:54","modified_gmt":"2023-05-09T15:12:54","slug":"royal-ransomware-gang-quickly-expands-reign","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/royal-ransomware-gang-quickly-expands-reign\/","title":{"rendered":"Royal Ransomware Gang Quickly Expands Reign"},"content":{"rendered":"<div><img decoding=\"async\" src=\"https:\/\/files.scmagazine.com\/wp-content\/uploads\/2023\/05\/Royal-Ransomware-Group.jpg\" class=\"ff-og-image-inserted\"><\/div>\n<p>The Royal ransomware group is aptly named. There\u2019s an air of superiority in the way it taunts its victims. Royal\u2019s members are the cream of the cybercriminal crop, and they know it.<\/p>\n<p>The group\u2019s swagger is evident in a README.txt ransom note dropped on one of its victims and obtained by Palo Alto Networks\u2019 Unit 42.<\/p>\n<p>\u201cMost likely what happened was that you decided to save some money on your security infrastructure,\u201d the note reads. \u201cAlas, as a result your critical data was not only encrypted but also copied from your systems.\u201d<\/p>\n<p>Royal has <a href=\"https:\/\/www.scmagazine.com\/news\/ransomware\/royal-ransomware-attacks-spreading-critical-infrastructure\" target=\"_blank\" rel=\"noreferrer noopener\">become increasingly active this year<\/a>, using a wide variety of tools as it aggressively targets critical infrastructure organizations.<\/p>\n<p>In a <a rel=\"noreferrer noopener\" href=\"https:\/\/unit42.paloaltonetworks.com\/royal-ransomware\" target=\"_blank\">post<\/a> published Tuesday, Unit 42 says that according to Royal\u2019s leak site, the group has been responsible for impacting 157 organizations since its inception last year.<\/p>\n<p>\u201cRoyal ransomware has impacted a variety of industries, including small businesses and large corporations alike. Based on information from their leak site and public reporting outlets, we can see that Royal ransomware has impacted industries such as manufacturing, as well as wholesale and retail,\u201d researchers wrote.<\/p>\n<h2>A focus on critical infrastructure<\/h2>\n<p>Over a period of a few months last year, the group boasted it impacted 14 manufacturing organizations. It has claimed to have further targeted 26 manufacturing organizations so far this year.<\/p>\n<p>Royal has hit eight healthcare organizations since its inception, with the U.S. Department of Health and Human Services <a rel=\"noreferrer noopener\" href=\"https:\/\/www.hhs.gov\/sites\/default\/files\/royal-blackcat-ransomware-tlpclear.pdf\" target=\"_blank\">issuing a warning<\/a> in January about the threat its ransomware posed to the healthcare sector.<\/p>\n<p>There have also been seven strikes against local government entities in the U.S. and Europe, including its recent <a href=\"https:\/\/www.scmagazine.com\/brief\/ransomware\/dallas-impacted-by-royal-ransomware-attack\" target=\"_blank\" rel=\"noreferrer noopener\">attack on the city of Dallas<\/a>.<\/p>\n<p>And it has impacted 14 organizations in the education sector, including school districts and universities, with four of those institutions hit in the first few days of this month alone.<\/p>\n<p>Most of Royal\u2019s victims (64%) are in the U.S., with Canadian organizations being its second most popular target (9%).<\/p>\n<p>The breadth of Royal\u2019s attacks to date \u201cdemonstrates the potential for broader and more severe consequences,\u201d Unit 42 warns.<\/p>\n<h2>Operatives with years of experience<\/h2>\n<p>While Royal was first observed compromising systems and using multi-extortion to pressure victims in September 2022, it was linked to a previous ransomware family named Zeon, which surfaced nine months earlier.<\/p>\n<p>Unit 42 researchers say it\u2019s likely most members of Royal are former operatives of the Conti ransomware group.<\/p>\n<p>\u201cBecause some of the people behind this threat were part of the development of Ryuk, which is the predecessor of Conti, they have many years of experience. This means they have a solid base for carrying out attacks and know what works when extorting victims,\u201d according to Unit 42.<\/p>\n<p>Royal has been known to demand ransoms of up to $25 million in bitcoin and the group\u2019s tactics include leveraging its leak site to publicly extort victims into paying up.<\/p>\n<p>\u201cThe Royal group will harass victims until the payment is secured, using techniques such as emailing victims and mass-printing ransom notes,\u201d researchers said.<\/p>\n<p>The group was active on Twitter until its <a href=\"https:\/\/twitter.com\/lockerroyal\" target=\"_blank\" rel=\"noreferrer noopener\">account<\/a> was suspended recently. It often used the platform to announce its compromises, tagging the victim in its posts.<\/p>\n<p>\u201cIt\u2019s not unusual to see threat actor groups create social media accounts to keep spreading their brand and announcements. It\u2019s clear that this group is trying to get attention from multiple organizations through any means necessary,\u201d Unit 42 says.<\/p>\n<p>Unlike major ransomware groups such as LockBit 3.0, which typically operate a ransomware-as-a-service scheme, hiring affiliates and promoting their RaaS model, Unit 42 says it has not observed Royal taking that approach.<\/p>\n<h2>Elements of the Royal infection chain<\/h2>\n<p>The group has been observed using multiple initial access vectors to secure access into vulnerable systems, including callback phishing, SEO poisoning, exposed Remote Desktop Protocol accounts and compromised credentials.<\/p>\n<p>Once access is secured, the group uses multiple tools to support the intrusion operation, including the TCP\/UDP tunnel Chisel and the Active Directory query tool AdFind.<\/p>\n<p>Royal has been observed compromising victims through a BATLOADER infection, which threat actors usually spread through SEO poisoning. BATLOADER will then attempt to download further payloads to the infected machine, such as VidarStealer, Ursnif\/ISFB and Redline Stealer, along with legitimate tooling such as the system management tool NSudo and the Syncro remote monitoring and management (RMM) tool. Most importantly, BATLOADER has been seen loading Cobalt Strike, often a precursor to ransomware distribution.<\/p>\n<p>Unit 42 researchers have observed Royal operators using PowerTool, a piece of software that has access to the kernel and is ideal for removing endpoint security software. The operators have also been observed executing batch scripts to disable security-related services, and deleting shadow file copies and logs after successful exfiltration.<\/p>\n<h2>Lateral movement through victim\u2019s systems<\/h2>\n<p>Royal uses the network discovery software NetScan to identify and map out various connected computer resources such as other user targets and shares. It has also been observed using PsExec to conduct lateral movement within the infected environments.<\/p>\n<p>Like other ransomware operators, it uses various popular legitimate remote management software to maintain access to the infected environment. The use of Cobalt Strike and related beacons were also observed for command-and-control.<\/p>\n<p>\u201cAn interesting observation of a tool used for maintaining access was the use of Chisel, a TCP\/UDP tunneling tool written in Golang,\u201d Unit 42 says.<\/p>\n<p>\u201c[We] observed Royal threat actors using Rclone, a legitimate tool to manage files between two systems, for exfiltrating stolen data before the deployment of ransomware. We found Rclone deployed in folders such as ProgramData, or renamed and masquerading in other folders. One popular filename used was svchost.exe,\u201d researchers wrote. As well as targeting Windows systems, Royal has expanded its arsenal by developing an ELF variant to impact Linux and ESXi environments.<\/p>\n<p>READ MORE <a href=\"https:\/\/packetstormsecurity.com\/news\/view\/34594\/Royal-Ransomware-Gang-Quickly-Expands-Reign.html\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>READ MORE HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":51833,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[277],"tags":[9690],"class_list":["post-51832","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity-blogs","tag-headlinehackermalwarecybercrimecryptography"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.6 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Royal Ransomware Gang Quickly Expands Reign 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/royal-ransomware-gang-quickly-expands-reign\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Royal Ransomware Gang Quickly Expands Reign 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/royal-ransomware-gang-quickly-expands-reign\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2023-05-09T15:12:54+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/files.scmagazine.com\/wp-content\/uploads\/2023\/05\/Royal-Ransomware-Group.jpg\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"5 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/royal-ransomware-gang-quickly-expands-reign\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/royal-ransomware-gang-quickly-expands-reign\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"Royal Ransomware Gang Quickly Expands Reign\",\"datePublished\":\"2023-05-09T15:12:54+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/royal-ransomware-gang-quickly-expands-reign\\\/\"},\"wordCount\":965,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/royal-ransomware-gang-quickly-expands-reign\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2023\\\/05\\\/royal-ransomware-gang-quickly-expands-reign.jpg\",\"keywords\":[\"headline,hacker,malware,cybercrime,cryptography\"],\"articleSection\":[\"CyberSecurity Blogs\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/royal-ransomware-gang-quickly-expands-reign\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/royal-ransomware-gang-quickly-expands-reign\\\/\",\"name\":\"Royal Ransomware Gang Quickly Expands Reign 2026 | ThreatsHub Cybersecurity News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/royal-ransomware-gang-quickly-expands-reign\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/royal-ransomware-gang-quickly-expands-reign\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2023\\\/05\\\/royal-ransomware-gang-quickly-expands-reign.jpg\",\"datePublished\":\"2023-05-09T15:12:54+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/royal-ransomware-gang-quickly-expands-reign\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/royal-ransomware-gang-quickly-expands-reign\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/royal-ransomware-gang-quickly-expands-reign\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2023\\\/05\\\/royal-ransomware-gang-quickly-expands-reign.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2023\\\/05\\\/royal-ransomware-gang-quickly-expands-reign.jpg\",\"width\":1080,\"height\":720},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/royal-ransomware-gang-quickly-expands-reign\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"headline,hacker,malware,cybercrime,cryptography\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/tag\\\/headlinehackermalwarecybercrimecryptography\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Royal Ransomware Gang Quickly Expands Reign\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Royal Ransomware Gang Quickly Expands Reign 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/royal-ransomware-gang-quickly-expands-reign\/","og_locale":"en_US","og_type":"article","og_title":"Royal Ransomware Gang Quickly Expands Reign 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/royal-ransomware-gang-quickly-expands-reign\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2023-05-09T15:12:54+00:00","og_image":[{"url":"https:\/\/files.scmagazine.com\/wp-content\/uploads\/2023\/05\/Royal-Ransomware-Group.jpg","type":"","width":"","height":""}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. reading time":"5 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/royal-ransomware-gang-quickly-expands-reign\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/royal-ransomware-gang-quickly-expands-reign\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"Royal Ransomware Gang Quickly Expands Reign","datePublished":"2023-05-09T15:12:54+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/royal-ransomware-gang-quickly-expands-reign\/"},"wordCount":965,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/royal-ransomware-gang-quickly-expands-reign\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2023\/05\/royal-ransomware-gang-quickly-expands-reign.jpg","keywords":["headline,hacker,malware,cybercrime,cryptography"],"articleSection":["CyberSecurity Blogs"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/royal-ransomware-gang-quickly-expands-reign\/","url":"https:\/\/www.threatshub.org\/blog\/royal-ransomware-gang-quickly-expands-reign\/","name":"Royal Ransomware Gang Quickly Expands Reign 2026 | ThreatsHub Cybersecurity News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/royal-ransomware-gang-quickly-expands-reign\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/royal-ransomware-gang-quickly-expands-reign\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2023\/05\/royal-ransomware-gang-quickly-expands-reign.jpg","datePublished":"2023-05-09T15:12:54+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/royal-ransomware-gang-quickly-expands-reign\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/royal-ransomware-gang-quickly-expands-reign\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/royal-ransomware-gang-quickly-expands-reign\/#primaryimage","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2023\/05\/royal-ransomware-gang-quickly-expands-reign.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2023\/05\/royal-ransomware-gang-quickly-expands-reign.jpg","width":1080,"height":720},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/royal-ransomware-gang-quickly-expands-reign\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"headline,hacker,malware,cybercrime,cryptography","item":"https:\/\/www.threatshub.org\/blog\/tag\/headlinehackermalwarecybercrimecryptography\/"},{"@type":"ListItem","position":3,"name":"Royal Ransomware Gang Quickly Expands Reign"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476","name":"TH Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/51832","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=51832"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/51832\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media\/51833"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=51832"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=51832"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=51832"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}